Genealogy site left personal data open to identity thieves, says commissioner
Hawkes says having citizens’ details freely available online a ‘shocking’ example of public service failure
Data Protection Commissioner Billy Hawkes: The risks involved in the site were “obvious”. Photograph: David Sleator
There were “obvious risks” associated with the availability of citizens’ personal data on the irishgenealogy.ie site, including the potential for identity theft, Data Protection Commissioner Billy Hawkes said.
The civic register data had been removed from the research resources shortly thereafter.
A note on the website said the civil records search was “temporarily unavailable” and that further updates would be provided. However, Mr Hawkes delivered a firm “no” when asked would the records be restored in their current form.
Live informationThe Irish Times
But he said someone seemed to have “missed the plot” in putting the live information on it.
“We had been consulted on it in the context of putting on the registers which were over 100 years old – that would be fine. But this was a total shock to us.”
Mr Hawkes said the person who had drawn this newspaper’s attention to the site had done “a very important public service” before it became “a treasure trove for people of evil intent”.
He expressed concern that “from the identity theft point of view” details such as mothers’ maiden names and dates of birth were on the site “for all to see”. He pointed out that anyone had a right to get a copy of records of births, marriages and deaths under the current system.
“But it’s a totally different thing to go in and pay a fee and get [it] in a physical form and having the whole lot available online.
“Obviously nobody thought about this and it’s a particularly shocking example, frankly, of the public service falling down on the job.”
Mr Hawkes said the risks involved in the site were “obvious”. He acknowledged that his office had in the past had to deal with situations where people insisted such records were “public knowledge”.
However, he added: “It’s a totally different thing to go in and ask for someone’s birth cert if you know enough about them to find it, as opposed to having the whole thing available for anyone, anywhere to find it.
“Apart from the privacy aspect of it, there is the identity theft aspect of it, which is really very serious.”
He also noted employment rights law did not allow employers to ask certain questions of potential employees. The genealogy database potentially allowed them to find “a whole lot of information”.
“I hope, at least, many people weren’t aware of it because you wouldn’t associate a genealogy site with active data. You’d assume it was for looking up your ancestors who are dead – which is no problem.”
Mr Hawkes said his office had for a long time been highlighting the need for organisations to carry out privacy impact assessments before they considered projects.
He said he would be re-emphasising the issue in an address today to the Institute of International and European Affairs in Dublin.